-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathREADME
143 lines (93 loc) · 5.15 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
iCloak
------
What is this?
-------------
iCloak is a simple collection of codes for making invisible your stuff in kernel mode. This is done merely by using DKOM
techniques. Until now it works in Linux (4.4.x or later), FreeBSD and NetBSD.
How can I clone this?
---------------------
You can do the following:
you@somewhere_over_a_tainted_rainbow:~/src# git clone https://github.com/rafael-santiago/icloak
you@somewhere_over_a_tainted_rainbow:~/src# cd icloak/src
you@somewhere_over_a_tainted_rainbow:~/src/icloak/src# git submodule update --init
or:
you@somewhere_over_a_tainted_rainbow:~/src# git clone https://github.com/rafael-santiago/icloak --recursive
How can I build it?
-------------------
You should not build anything. All you should do is to include the icloak src sub-directory and the platform dependent
code (within src/<platform-name>) in your own LKM stuff. Anyway, if you want to execute the icloak tests you need to
install my build system (https://github.com/rafael-santiago/hefesto).
Once the build system well installed, you should clone another repo of mine:
you@somewhere_over_a_tainted_rainbow:~/src# git clone https://github.com/rafael-santiago/helios
you@somewhere_over_a_tainted_rainbow:~/src# cd helios
you@somewhere_over_a_tainted_rainbow:~/src/helios#
#if defined(__linux__)
you@somewhere_over_a_tainted_rainbow:~/src/helios# hefesto --install=lnx-module-toolset
#elif defined(__FreeBSD__)
you@somewhere_over_a_tainted_rainbow:~/src/helios# hefesto --install=freebsd-module-toolset
#elif defined(__NetBSD__)
you@somewhere_over_a_tainted_rainbow:~/src/helios# hefesto --install=netbsd-module-toolset
#else
# error "what are you doing here?"
#endif
you@somewhere_over_a_tainted_rainbow:~/src/helios# cd ..
you@somewhere_over_a_tainted_rainbow:~/src# rm -rf helios
Now your build system copy knows how to make the icloak tests, so let's go back to the icloak repo and run the build:
you@somewhere_over_a_tainted_rainbow:~/src# cd icloak/src
you@somewhere_over_a_tainted_rainbow:~/src/icloak/src# hefesto
[ 210.547192] *** icloak_test_monkey loaded...
[ 210.550091] -- running icloak_ko_nullity_tests...
[ 210.568997] -- passed.
[ 210.570002] -- running icloak_mk_ko_perm_nullity_tests...
[ 210.571817] -- passed.
[ 210.572462] -- running icloak_mk_ko_perm_tests...
[ 210.572996] -- passed.
[ 210.573997] -- running icloak_ko_tests...
[ 210.574695] -- passed.
[ 210.575002] *** all tests passed. [4 test(s) ran]
you@somewhere_over_a_tainted_rainbow:~/src/icloak/src# _
In normal conditions you will get the output described above. You should notice that will be possible successfully execute
the tests only once before restarting. Because the test module hide itself in order to ascertain that all 'invisibility
incantation' is working well.
Wearing icloak on your LKM
--------------------------
Pretty simple. All you should do is to include the main icloak header:
#include <icloak.h>
...and pass to icloak_ko() macro your LKM's name:
icloak_ko("hidden_mod");
There is a trick to get a better invisibility in FreeBSD, you should let the kernel object file with the same name used
for naming your module during the struct 'moduledata_t' definition.
You can also include two icloak_ko():
// One for the kernel object file.
icloak_ko("hidden_mod.ko");
// Another for the module name.
// This second will return a non zero value...
// Just ignore this return...
// This return is only saying 'You really should simplify this stuff' ;)
icloak_ko("rootkit_sample");
You also can make your LKM permanent by using the macro icloak_mk_ko_perm():
icloak_mk_ko_perm("hidden_mod", NULL);
The second argument of icloak_mk_ko_perm() is a (void **). When not null it will point to the old exit module's function.
This is handy when you intend to make it non permanent again:
void *hidden_mod_exit;
icloak_mk_ko_perm("hidden_mod", &hidden_mod_exit);
By the way, in order to make the module non permanent you should use the macro icloak_mk_ko_nonperm():
icloak_mk_ko_nonperm("hidden_mod", hidden_mod_exit);
All these 'invisibility macros' return zero on success.
Until now icloak_mk_ko_perm() and icloak_mk_ko_nonperm() are not available for NetBSD.
Wearing icloak on ordinary files
--------------------------------
iCloak can also hide secondary files. The file hiding feature is based on file names not full paths. Supposing you want to
hide the file '/etc/mr.hide', you should use icloak_hide_file() as follows:
// It will hide any 'mr.hide' occurrence in the filesystem.
icloak_hide_file("mr.hide");
The icloak_hide_file() macro does not expect an exact file name, you can use globs instead:
// Globs are awesome and handy! :)
icloak_hide_file("test[0123456789].*");
icloak_hide_file("*.l0g");
icloak_hide_file("test?.txt.hidden");
If for some reason you want to show the file again, all you should do is to pass the exact file name or related pattern to
icloak_show_file():
icloak_show_file("mr.hide");
icloak_show_file("*.l0g");
The icloak_hide_file() and icloak_show_file() macros also return zero on success.